Malware Analysis Report

2024-11-16 13:40

Sample ID 240531-q9k4tsbc98
Target проверка.exe
SHA256 45814083c150dd3d946718f8728a1cdad2f9e68318e575c479263431ccf04abb
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45814083c150dd3d946718f8728a1cdad2f9e68318e575c479263431ccf04abb

Threat Level: Known bad

The file проверка.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 13:57

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 13:57

Reported

2024-05-31 14:00

Platform

win7-20240508-en

Max time kernel

50s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 1972 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 1972 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 1440 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 1440 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe
PID 1440 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Delta.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\проверка.exe

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {545BBF4D-698C-4C36-9A75-8B064344AA55} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 speed-wheat.gl.at.ply.gg udp

Files

memory/1972-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

memory/1972-1-0x0000000001160000-0x0000000001180000-memory.dmp

memory/3036-6-0x0000000002830000-0x00000000028B0000-memory.dmp

memory/3036-7-0x000000001B580000-0x000000001B862000-memory.dmp

memory/3036-8-0x0000000002810000-0x0000000002818000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 431214da73f51b8c861e6815ae96c45c
SHA1 a9cbba4ca77836cac751dd9414d0f8435fb6372a
SHA256 a386fe90d0697fb8dba1fd605f322dd7983b0830923df29d04fe89362fa54e45
SHA512 c57970adcd3f0163d15a3d14a1185d0062a2120a5c013013ea29242381c58949540ec23f8e6865c069da444e206b75e8d7f24193a7a4e7b26628f0d9808b0bb2

memory/2884-14-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

memory/2884-15-0x0000000001E90000-0x0000000001E98000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1972-31-0x000000001B4D0000-0x000000001B550000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delta.exe

MD5 db27649bfb89f40ec3ff301541c598f5
SHA1 a16885dd0b352e970c45bad6a691e155f9ccc8f1
SHA256 45814083c150dd3d946718f8728a1cdad2f9e68318e575c479263431ccf04abb
SHA512 3b35ea6511b4e047bd77a9fa525e489542379f5ddf61f49986cc92bfb8411a7d6673a3febf2d540e3dd03c7a73f17673c0c6e5d0d41f81970c18ff9ef3fe32fb

memory/2404-35-0x00000000013D0000-0x00000000013F0000-memory.dmp

memory/1972-36-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

memory/1972-37-0x000000001B4D0000-0x000000001B550000-memory.dmp

memory/2192-38-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2192-39-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 13:57

Reported

2024-05-31 14:00

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe
PID 5008 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\проверка.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\проверка.exe

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 160.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.143.123.92.in-addr.arpa udp

Files

memory/5008-0-0x00007FFFD41B3000-0x00007FFFD41B5000-memory.dmp

memory/5008-1-0x00000000004D0000-0x00000000004F0000-memory.dmp

memory/5060-2-0x0000011CA8400000-0x0000011CA8422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0blmswh.mk3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5060-12-0x00007FFFD41B0000-0x00007FFFD4C71000-memory.dmp

memory/5060-13-0x00007FFFD41B0000-0x00007FFFD4C71000-memory.dmp

memory/5060-14-0x00007FFFD41B0000-0x00007FFFD4C71000-memory.dmp

memory/5060-17-0x00007FFFD41B0000-0x00007FFFD4C71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8cb3e9459807e35f02130fad3f9860d
SHA1 5af7f32cb8a30e850892b15e9164030a041f4bd6
SHA256 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 98baf5117c4fcec1692067d200c58ab3
SHA1 5b33a57b72141e7508b615e17fb621612cb8e390
SHA256 30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51
SHA512 344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

memory/5008-56-0x00007FFFD41B0000-0x00007FFFD4C71000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delta.exe

MD5 db27649bfb89f40ec3ff301541c598f5
SHA1 a16885dd0b352e970c45bad6a691e155f9ccc8f1
SHA256 45814083c150dd3d946718f8728a1cdad2f9e68318e575c479263431ccf04abb
SHA512 3b35ea6511b4e047bd77a9fa525e489542379f5ddf61f49986cc92bfb8411a7d6673a3febf2d540e3dd03c7a73f17673c0c6e5d0d41f81970c18ff9ef3fe32fb

memory/5008-60-0x00007FFFD41B3000-0x00007FFFD41B5000-memory.dmp

memory/5008-61-0x00007FFFD41B0000-0x00007FFFD4C71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Delta.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1